
Analyzing NotDoor: Inside APT28's Expanding Arsenal

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

LAB52 has identified a new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group. NotDoor is a VBA macro for Outlook that monitors incoming emails for specific trigger words, enabling data exfiltration, file uploads, and command execution on victim computers. The backdoor is deployed via Microsoft OneDrive.exe using DLL side-loading, and it establishes persistence by modifying registry keys. NotDoor employs obfuscation techniques and a custom string encoding method. It can execute commands, exfiltrate files, and upload files to the victim's machine. The malware demonstrates APT28's continuous evolution in bypassing defense mechanisms, posing a significant threat to NATO member countries across various sectors.

OPENCTI LABELS :

backdoor, nato, obfuscation, exfiltration, persistence, vba macro, dll side-loading, outlook, notdoor


AI COMMENTARY :

1. Analyzing NotDoor: Inside APT28’s Expanding Arsenal

An in-depth look at the latest threat intelligence report reveals a new backdoor named NotDoor, attributed to the Russian intelligence-linked group APT28. Discovered by LAB52, NotDoor demonstrates the adversary's continued evolution: a VBA macro for Outlook that operates as a stealthy backdoor. This emerging threat leverages advanced obfuscation and persistence techniques, raising serious concerns for organizations in NATO member countries and beyond.

2. Technical Deep Dive into NotDoor

NotDoor is implemented as a VBA macro embedded within Outlook, where it monitors incoming messages for specific trigger words. Once these triggers are detected, the backdoor activates and can execute system commands on the victim computer. In addition to running arbitrary commands, NotDoor can upload files to the local machine and exfiltrate sensitive data back to the adversary, making it a versatile tool for espionage operations.

3. DLL Side Loading and Persistence Mechanisms

LAB52's analysis shows that NotDoor is deployed via a tampered Microsoft OneDrive.exe binary that employs DLL side-loading to load the malicious payload. To maintain a foothold on infected systems, the backdoor modifies registry keys to ensure persistence across reboots. These tactics enable APT28 to sustain long-term access while evading simple signature-based defenses.

4. Obfuscation Strategies and Custom String Encoding

To hinder detection and analysis, NotDoor uses multiple layers of obfuscation. The VBA macro code is heavily scrambled to resist static code inspection tools. Furthermore, the backdoor incorporates a custom string encoding scheme that conceals critical instructions until runtime, complicating efforts by defenders to craft effective detection rules based on known indicators.

5. Exfiltration and File Upload Capabilities

One of the key strengths of NotDoor lies in its data exfiltration routines. Triggered by the specified keywords, the backdoor can systematically collect documents and system files for extraction. It can also receive and save additional payloads sent by the adversary, providing flexibility for extended operations. These combined functions make NotDoor a potent tool for intelligence gathering and sabotage.

6. Strategic Impact on NATO Member Countries

The discovery of NotDoor underscores APT28’s persistent efforts to refine its toolbox. With a history of targeting defense contractors, government agencies and critical infrastructure, the group poses a significant threat to NATO member states and allied organizations. The integration of obfuscation, persistence and advanced exfiltration capabilities highlights a higher threat level across government, military and diplomatic sectors.

7. Strengthening Defenses Against NotDoor

Organizations can counter the NotDoor threat by enforcing strict controls on VBA macro execution within Outlook and monitoring registry changes associated with persistence. Deploying behavioral analytics to detect anomalous OneDrive.exe activity and applying security controls to prevent DLL side-loading are also critical. By integrating updated threat intelligence on NotDoor into security operations, defenders can improve their readiness against this latest APT28 backdoor.
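As an added illustration of the monitoring this section recommends (example code, not from the report or from LAB52), the following Python pass runs two checks over constructed Sysmon-style events: a DLL loaded into OneDrive.exe without a valid signature, and writes to Outlook's macro-security registry values (`Security\Level` and `LoadMacroProviderOnBoot` are real Outlook settings; that NotDoor writes exactly these values is an assumption here, as are the file paths and DLL name in the sample data).

```python
"""Constructed Sysmon-style events checked for two NotDoor behaviours the
report names: a DLL side-loaded into OneDrive.exe and Outlook macro registry writes."""
from typing import Dict, List, Optional

# Outlook's macro-security registry values (real Outlook settings); that
# NotDoor writes exactly these is an assumption made for this example.
OUTLOOK_MACRO_VALUES = ("\\outlook\\security\\level",
                        "\\outlook\\loadmacroprovideronboot")

def check_image_load(ev: Dict[str, object]) -> Optional[str]:
    """EID 7: OneDrive.exe loading an unsigned or invalidly signed DLL."""
    if ev.get("EventID") != 7:
        return None
    if str(ev["Image"]).lower().rsplit("\\", 1)[-1] != "onedrive.exe":
        return None
    if ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
        return None
    return f"possible DLL side-load into OneDrive.exe: {ev['ImageLoaded']}"

def check_registry(ev: Dict[str, object]) -> Optional[str]:
    """EID 13 (SetValue): any write to Outlook's macro-security values."""
    if ev.get("EventID") != 13:
        return None
    target = str(ev["TargetObject"]).lower()
    if "\\software\\microsoft\\office\\" not in target:
        return None
    if not any(target.endswith(v) for v in OUTLOOK_MACRO_VALUES):
        return None
    return f"Outlook macro setting changed by {ev['Image']}: {ev['TargetObject']}"

def scan(events: List[Dict[str, object]]) -> List[str]:
    """Run both checks over every event and return the alert strings."""
    return [hit for ev in events for chk in (check_image_load, check_registry)
            if (hit := chk(ev))]

SAMPLE_EVENTS = [  # constructed sample data, not taken from the report
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\sideload_sample.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Security\Level"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Preferences\NewmailDesktopAlerts"},
]
if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

Only the second and third sample events raise alerts; a signed system DLL loaded by OneDrive.exe and an unrelated Outlook preference write are ignored.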
